Wednesday, April 8, 2020

The extra Zoom setting you may not know about to control access for phone-in attendees

What if I told you, that your Zoom meeting password does not apply to users calling in by phone?

Over the past several weeks the rest of the world has found out about the Zoom video conferencing system.  In this time of crisis, it has become essential for work, school, and even play. However, people have also been finding out about the security and privacy issues related to Zoom. I'm now going to share one more with you.

Trusted CI staff have discovered that, by default, meetings that have been protected with a meeting password do not require the password for users calling in by phone. There is an extra setting to control by-phone access and we think that this extra setting may not be not known by many Zoom users. Users who call in using one of the Zoom gateway phone numbers will not normally be prompted for a password. This potentially leaves sensitive meetings vulnerable to eavesdropping. Although this issue isn't a vulnerability in Zoom, it allows the users setting up meetings to create a vulnerability in their own meetings. It is a user interface and security awareness issue.

In order to enable password protection for by-phone users, you must locate the setting "Require password for participants joining by phone" as shown below, which in some interfaces may be located in the advanced settings.

Screenshot of the extra "by phone" setting to consider to protect a meeting
A second closely related issue is that enabling this "Require password for participants by phone" setting does not immediately change the configuration of existing meetings that have already been set up. The owner of the meetings must go into each meeting configuration, edit the meeting, and then save it without making any changes to the meeting. According to our observations, this regenerates the meeting and applies a phone password to the meeting. The phone password will be automatically generated and become part of the meeting invitation. You would then share this new password and meeting invite with your meeting participants who need it.
Trusted CI's test of faking a number

A third issue to be aware of here is that phone number caller id information can be faked. Although this is not new by any means, there has been little to no warning about this in relation to using Zoom. This vulnerability isn't Zoom's fault as the flaw exists in the design of the phone system.

However, because of this, you should not use a phone number in the participants list to authenticate a participant. A malicious user could change their number to that of an authorized user to avoid detection.

During our research into these issues, we found that most of the existing documentation outside of the Zoom website itself does not mention the "Require a phone password" extra setting that must be applied. Similarly, it is not obvious that this must be done when creating a meeting and setting a password, as there is no feedback from the interface that this must be done or that your meeting will not be fully protected.
The Zoom meeting password interface, showing no indicators of an extra by-phone setting.

Several of our security colleagues were also unaware of this extra "Require a password for by-phone users" setting, suggesting that the setting is unknown to most Zoom users.

Our recommendations for Zoom, the company,  is to add some type of indication near the meeting password setting that informs users that there is an additional setting for controlling access by phone and that Zoom should inform their existing install base about these issues.  Alternatively, this option should be enabled by default.

How Trusted CI discovered the issues

On February 26th, 2020, Mark Krenz set up a meeting with a colleague on the COSMIC2 science gateway project and set a meeting password to try to protect the meeting. When the colleague called in by phone, Mark asked the user if they needed a password to get in, which to his surprise, they did not. Mark then performed further testing of the issue with the help of Trusted CI members including Andrew Adams, Shane Filus, Ishan Abhinit, and Scott Russell. It was quickly found that changing the "require password by-phone" setting did not set it on existing meetings and that the existing meetings needed to be edited and re-saved. The team above wrote up a security report to send to Zoom, which was done so on March 6th through the hackerone.com website, which acts as a gateway for submitting such reports to companies. This meant that there was then a 30 day embargo on releasing this information to the public. During this time, the COVID19 crisis began to unfold in the western countries and people started heavily using Zoom. This almost immediately led to many reports of various unwanted incidents within Zoom meetings, so called Zoombombing,  and other vulnerabilities being discovered and announced. During this time we discussed the issue internally, met with Zoom to discuss the issue, and provided our recommendations for a way forward. We also monitored the media for any signs that this was being exploited, but found no direct evidence that it was being exploited. We also looked for these recommendations in news reports that were surfacing over the past month and found none that directly mentioned this issue.

Related links: